hypercall_api/handlers/

rfq.rs

use crate::error::ApiError;
use crate::request_auth::verify_request;
pub use crate::rfq::handler_state::RfqHandlerState;
use crate::rfq::rfq_manager::{RfqLeg, RfqManager};
use crate::sonic_json::SonicJson;
use axum::extract::{Path, State};
use hypercall_auth::SignedAcceptRfqQuote;
use hypercall_runtime_api::RfqExecuteResult;
use hypercall_types::{
    AcceptRfqRequest, RfqAcceptResponse, RfqHistoryResponse, RfqLegResponse, RfqQuoteLegResponse,
    RfqQuoteResponse, RfqStatus, RfqStatusResponse, SubmitRfqRequest, WalletAddress,
};
use rust_decimal::Decimal;
use std::str::FromStr;
use tracing::info_span;
use tracing::Instrument;
use uuid::Uuid;

/// Core RFQ submission logic shared by the REST handler and the WebSocket handler.
///
/// Validates leg count/sizes, computes the canonical `legs_hash`, recovers the
/// EIP-712 signer, checks agent authorization, and delegates to `RfqManager`.
pub async fn submit_rfq_inner(
    rfq_manager: &RfqManager,
    agent_auth: &dyn hypercall_runtime_api::AgentAuthProvider,
    rfq_id_str: &str,
    legs: &[hypercall_types::RfqLegRequest],
    wallet_address: WalletAddress,
    nonce: u64,
    signature: &str,
    chain_id: u64,
) -> Result<crate::rfq::rfq_manager::RfqRecord, String> {
    let rfq_id = Uuid::parse_str(rfq_id_str).map_err(|_| "Invalid rfq_id format".to_string())?;

    if legs.is_empty() || legs.len() > 10 {
        return Err("RFQ must have 1-10 legs".to_string());
    }

    // Parse and validate leg sizes. Direction is carried by `side`, so
    // sizes must be strictly positive; a negative or zero size would
    // otherwise flow into execution, invert the premium/margin sign in
    // `execute_rfq_inner` + `check_margin_for_order`, and let malformed
    // RFQs pass risk checks or mutate positions incorrectly.
    let parsed_legs: Vec<RfqLeg> = legs
        .iter()
        .map(|l| {
            let size = l
                .size
                .parse::<Decimal>()
                .map_err(|_| "Invalid leg size".to_string())?;
            if size <= Decimal::ZERO {
                return Err(format!(
                    "Leg size must be strictly positive, got {} for instrument {}",
                    size, l.instrument
                ));
            }
            Ok(RfqLeg {
                instrument: l.instrument.clone(),
                side: l.side,
                size,
            })
        })
        .collect::<Result<Vec<_>, String>>()?;

    // Compute legs_hash (canonical encoding for signature verification)
    let legs_hash = compute_legs_hash_from_legs(legs)?;

    let verification_request = SubmitRfqRequest {
        rfq_id: rfq_id_str.to_string(),
        legs: legs.to_vec(),
        wallet_address,
        nonce,
        signature: signature.to_string(),
        auto_accept_limit: None,
    };
    let authorized =
        verify_request(agent_auth, &verification_request, chain_id).map_err(|e| e.to_string())?;

    rfq_manager
        .submit_rfq(
            rfq_id,
            wallet_address,
            authorized.signer.signer_address,
            parsed_legs,
            legs_hash,
            signature.to_string(),
            nonce,
            None,
        )
        .await
        .map_err(|e| e.to_string())
}

/// Core RFQ auto-execute submission logic shared by the REST handler and the
/// WebSocket handler. Similar to `submit_rfq_inner` but verifies the
/// `SubmitAutoExecuteRfq` EIP-712 signature (which includes `limitPrice`)
/// and passes the auto-accept limit through to the RFQ manager.
#[allow(clippy::too_many_arguments)]
pub async fn submit_auto_execute_rfq_inner(
    rfq_manager: &RfqManager,
    agent_auth: &dyn hypercall_runtime_api::AgentAuthProvider,
    rfq_id_str: &str,
    legs: &[hypercall_types::RfqLegRequest],
    wallet_address: WalletAddress,
    limit_price_str: &str,
    nonce: u64,
    signature: &str,
    chain_id: u64,
) -> Result<crate::rfq::rfq_manager::RfqRecord, String> {
    let rfq_id = Uuid::parse_str(rfq_id_str).map_err(|_| "Invalid rfq_id format".to_string())?;

    if legs.is_empty() || legs.len() > 10 {
        return Err("RFQ must have 1-10 legs".to_string());
    }

    let limit_price = limit_price_str
        .parse::<Decimal>()
        .map_err(|_| "Invalid limit_price format".to_string())?;
    if limit_price <= Decimal::ZERO {
        return Err("limit_price must be positive".to_string());
    }

    // Parse and validate leg sizes (same validation as submit_rfq_inner)
    let parsed_legs: Vec<RfqLeg> = legs
        .iter()
        .map(|l| {
            let size = l
                .size
                .parse::<Decimal>()
                .map_err(|_| "Invalid leg size".to_string())?;
            if size <= Decimal::ZERO {
                return Err(format!(
                    "Leg size must be strictly positive, got {} for instrument {}",
                    size, l.instrument
                ));
            }
            Ok(RfqLeg {
                instrument: l.instrument.clone(),
                side: l.side,
                size,
            })
        })
        .collect::<Result<Vec<_>, String>>()?;

    let legs_hash = compute_legs_hash_from_legs(legs)?;

    let verification_request = SubmitRfqRequest {
        rfq_id: rfq_id_str.to_string(),
        legs: legs.to_vec(),
        wallet_address,
        nonce,
        signature: signature.to_string(),
        auto_accept_limit: Some(limit_price_str.to_string()),
    };
    let authorized =
        verify_request(agent_auth, &verification_request, chain_id).map_err(|e| e.to_string())?;

    rfq_manager
        .submit_rfq(
            rfq_id,
            wallet_address,
            authorized.signer.signer_address,
            parsed_legs,
            legs_hash,
            signature.to_string(),
            nonce,
            Some(limit_price),
        )
        .await
        .map_err(|e| e.to_string())
}

/// POST /rfq/request - Submit a new RFQ
pub async fn submit_rfq(
    State(state): State<RfqHandlerState>,
    SonicJson(request): SonicJson<SubmitRfqRequest>,
) -> Result<SonicJson<RfqStatusResponse>, ApiError> {
    let span = info_span!("api.submit_rfq", wallet = %request.wallet_address);
    async move {
        // If auto_accept_limit is provided, use the auto-execute path
        if let Some(ref limit_str) = request.auto_accept_limit {
            let record = submit_auto_execute_rfq_inner(
                &state.rfq_manager,
                state.agent_auth.as_ref(),
                &request.rfq_id,
                &request.legs,
                request.wallet_address,
                limit_str,
                request.nonce,
                &request.signature,
                state.signing_chain_id,
            )
            .await
            .map_err(|e| ApiError::bad_request(&e))?;
            return Ok(SonicJson(rfq_record_to_response(&record)));
        }

        let record = submit_rfq_inner(
            &state.rfq_manager,
            state.agent_auth.as_ref(),
            &request.rfq_id,
            &request.legs,
            request.wallet_address,
            request.nonce,
            &request.signature,
            state.signing_chain_id,
        )
        .await
        .map_err(|e| ApiError::bad_request(&e))?;

        Ok(SonicJson(rfq_record_to_response(&record)))
    }
    .instrument(span)
    .await
}

/// Core RFQ accept logic shared by the REST handler and the WebSocket handler.
///
/// Parses IDs, verifies the taker EIP-712 `AcceptRFQQuote` signature, checks
/// agent authorization, and delegates to `RfqManager::accept_quote`.
pub async fn accept_rfq_quote_inner(
    rfq_manager: &RfqManager,
    agent_auth: &dyn hypercall_runtime_api::AgentAuthProvider,
    rfq_id_str: &str,
    quote_id_str: &str,
    wallet_address: WalletAddress,
    nonce: u64,
    signature: &str,
    chain_id: u64,
) -> Result<RfqAcceptResponse, String> {
    let rfq_id = Uuid::parse_str(rfq_id_str).map_err(|_| "Invalid rfq_id format".to_string())?;
    let quote_id =
        Uuid::parse_str(quote_id_str).map_err(|_| "Invalid quote_id format".to_string())?;

    // We need the net_premium from the stored quote to verify the signature.
    let rfq_record = rfq_manager
        .get_rfq(&rfq_id)
        .ok_or_else(|| "RFQ not found".to_string())?;
    let quote = rfq_record
        .quotes
        .iter()
        .find(|q| q.quote_id == quote_id)
        .ok_or_else(|| "Quote not found".to_string())?;

    use rust_decimal::prelude::ToPrimitive;
    let premium_micro = (quote.net_premium * Decimal::new(1_000_000, 0))
        .to_i64()
        .ok_or_else(|| "Net premium overflow".to_string())?;
    let net_premium_i256 = alloy::primitives::I256::try_from(premium_micro)
        .map_err(|e| format!("I256 conversion: {}", e))?;

    let verification_request = AcceptRfqRequest {
        rfq_id: rfq_id_str.to_string(),
        quote_id: quote_id_str.to_string(),
        wallet_address,
        nonce,
        signature: signature.to_string(),
    };
    let authorized = verify_request(
        agent_auth,
        &SignedAcceptRfqQuote {
            request: &verification_request,
            net_premium: net_premium_i256,
        },
        chain_id,
    )
    .map_err(|e| e.to_string())?;

    let result = rfq_manager
        .accept_quote(
            rfq_id,
            quote_id,
            wallet_address,
            signature.to_string(),
            authorized.signer.signer_address,
            authorized.nonce,
        )
        .await
        .map_err(|e| e.to_string())?;

    match result {
        RfqExecuteResult::Success { fill_id } => Ok(RfqAcceptResponse {
            rfq_id: rfq_id_str.to_string(),
            quote_id: quote_id_str.to_string(),
            status: RfqStatus::Executed,
            fill_id,
        }),
        RfqExecuteResult::Failed { reason } => Err(format!("RFQ execution failed: {}", reason)),
    }
}

/// POST /rfq/accept - Accept a firm quote
pub async fn accept_rfq_quote(
    State(state): State<RfqHandlerState>,
    SonicJson(request): SonicJson<AcceptRfqRequest>,
) -> Result<SonicJson<RfqAcceptResponse>, ApiError> {
    let span = info_span!("api.accept_rfq_quote", wallet = %request.wallet_address);
    async move {
        let response = accept_rfq_quote_inner(
            &state.rfq_manager,
            state.agent_auth.as_ref(),
            &request.rfq_id,
            &request.quote_id,
            request.wallet_address,
            request.nonce,
            &request.signature,
            state.signing_chain_id,
        )
        .await
        .map_err(|e| ApiError::bad_request(&e))?;

        Ok(SonicJson(response))
    }
    .instrument(span)
    .await
}

/// GET /rfq/:rfq_id - Get RFQ status and quotes
pub async fn get_rfq(
    State(state): State<RfqHandlerState>,
    Path(rfq_id): Path<String>,
) -> Result<SonicJson<RfqStatusResponse>, ApiError> {
    let rfq_uuid =
        Uuid::parse_str(&rfq_id).map_err(|_| ApiError::bad_request("Invalid rfq_id format"))?;

    let record = state
        .rfq_manager
        .get_rfq(&rfq_uuid)
        .ok_or_else(|| ApiError::not_found("RFQ not found"))?;

    Ok(SonicJson(rfq_record_to_response(&record)))
}

/// GET /rfq/history?wallet=0x... - List past RFQs for wallet
pub async fn get_rfq_history(
    State(state): State<RfqHandlerState>,
    axum::extract::Query(params): axum::extract::Query<RfqHistoryQuery>,
) -> Result<SonicJson<RfqHistoryResponse>, ApiError> {
    let wallet = WalletAddress::from_str(&params.wallet)
        .map_err(|_| ApiError::bad_request("Invalid wallet address"))?;

    let records = state.rfq_manager.get_history(&wallet);
    let rfqs = records.iter().map(rfq_record_to_response).collect();

    Ok(SonicJson(RfqHistoryResponse { rfqs }))
}

#[derive(serde::Deserialize)]
pub struct RfqHistoryQuery {
    pub wallet: String,
}

// Helpers

/// Compute the canonical legs hash from a slice of `RfqLegRequest`.
///
/// Canonical encoding: each leg is "instrument|side|size" joined by ";".
/// `size` is parsed to Decimal and formatted back to its canonical
/// `Decimal::to_string()` form so the hash matches what QPs later
/// compute after receiving the same legs as parsed Decimals
/// (`l.size.to_string()` in `rfq_responder::price_rfq`). Without this
/// canonicalization, a taker that signs "01.0" or "+5" would have the
/// submission accepted, then every QP quote would fail signature
/// verification at accept time because the QP's `legs_hash` is over
/// "1.0" / "5". Fail loudly at submit instead.
pub(crate) fn compute_legs_hash_from_legs(
    legs: &[hypercall_types::RfqLegRequest],
) -> Result<[u8; 32], String> {
    hypercall_auth::compute_rfq_legs_hash(legs)
}

fn rfq_record_to_response(record: &crate::rfq::rfq_manager::RfqRecord) -> RfqStatusResponse {
    RfqStatusResponse {
        rfq_id: record.rfq_id.to_string(),
        status: record.status,
        underlying: record.underlying.clone(),
        legs: record
            .legs
            .iter()
            .map(|l| RfqLegResponse {
                instrument: l.instrument.clone(),
                side: l.side,
                size: l.size,
            })
            .collect(),
        quotes: record
            .quotes
            .iter()
            .map(|q| RfqQuoteResponse {
                quote_id: q.quote_id.to_string(),
                net_premium: q.net_premium,
                legs: q
                    .legs
                    .iter()
                    .map(|l| RfqQuoteLegResponse {
                        instrument: l.instrument.clone(),
                        side: l.side,
                        price: l.price,
                        size: l.size,
                    })
                    .collect(),
                expires_at: q.received_at + q.valid_for_ms,
            })
            .collect(),
        created_at: record.created_at,
        expires_at: record.expires_at,
    }
}